Security

Multi-Signature Wallet Drained by Sophisticated Phishing Attack

A deceptive phishing attack leveraged fake Etherscan verification and Safe Multi Send to bypass multi-signature wallet security, resulting in significant asset loss.
September 16, 20253 min

A modern, elongated device features a sleek silver top and dark base, with a transparent blue section showcasing intricate internal clockwork mechanisms, including visible gears and ruby jewels. Side details include a tactile button and ventilation grilles, suggesting active functionality
The image showcases a detailed, abstract representation of an interconnected network, featuring translucent blue conduits joined by metallic cylindrical connectors. A vibrant blue substance appears to flow through the central transparent structures, suggesting dynamic movement within the system

Briefing

A sophisticated phishing campaign successfully compromised a 2-of-4 Safe multi-signature wallet, leading to the unauthorized transfer of $3.047 million in USDC. The attacker leveraged a meticulously crafted, fake Etherscan-verified contract to obscure malicious approval requests within seemingly legitimate Safe Multi Send transactions. This incident underscores a critical evolution in social engineering tactics, targeting the inherent trust in verified contract interfaces and multi-signature operational flows. The immediate consequence involved the swift exfiltration of funds, which were subsequently converted to Ethereum and routed through a privacy protocol, complicating recovery efforts.

The image displays a partially opened spherical object, revealing an inner core and surrounding elements. Its outer shell is white and segmented, fractured to expose a vibrant blue granular substance mixed with clear, cubic crystals

Context

Prior to this incident, the digital asset landscape observed a persistent threat from phishing, often targeting individual users through direct wallet connection requests or malicious links. This attack represents an escalation, moving beyond basic impersonation to exploit the perceived legitimacy of Etherscan verification and the complexity of multi-signature transaction bundling. The prevailing attack surface included user vigilance against transaction details and the implicit trust placed in established on-chain verification mechanisms.

A transparent, faceted cylinder with internal gearing interacts with a complex, white modular device emitting a vibrant blue light. This imagery powerfully symbolizes the convergence of advanced cryptography and distributed ledger technologies

Analysis

The attack vector involved a multi-stage social engineering exploit targeting the victim’s multi-signature wallet and interaction with the Request Finance app. The attacker deployed a counterfeit, Etherscan-verified contract nearly two weeks in advance, pre-programming it with multiple “batch payment” functions to appear legitimate. On the day of the exploit, a malicious approval was executed through the Request Finance app interface.

This approval was artfully disguised within the Safe Multi Send mechanism, allowing the attacker to bypass standard scrutiny by mimicking the first and last characters of a legitimate recipient address. This chain of events enabled the attacker to gain unauthorized access to and drain the victim’s USDC holdings.

Close-up view of intricate metallic modular components, primarily silver with distinct blue highlights, embedded within a light blue, porous, and textured material. These modules are arranged linearly, suggesting a complex, interconnected system partially submerged in the foamy substance

Parameters

  • Targeted Protocol/Wallet → 2-of-4 Safe multi-signature wallet
  • Vulnerability Type → Sophisticated phishing via fake Etherscan-verified contract and Safe Multi Send exploit
  • Financial Impact → $3.047 Million USDC
  • Blockchain(s) AffectedEthereum
  • Attack Date → September 11, 2025
  • Funds Destination → Ethereum, then Tornado Cash
  • Leveraged Interface → Request Finance app

The image displays a close-up perspective of two interconnected, robust electronic components against a neutral grey background. A prominent translucent blue module, possibly a polymer, houses a brushed metallic block, while an adjacent silver-toned metallic casing features a circular recess and various indentations

Outlook

Immediate mitigation for users involves heightened scrutiny of all transaction approval requests, particularly those involving batch operations or interactions with third-party interfaces. Protocols must enhance their front-end security to detect and flag interactions with known malicious or mimicked contract addresses. This incident will likely establish new best practices for contract verification processes and necessitate more robust client-side transaction simulation tools to expose hidden malicious payloads. The contagion risk extends to any protocol or user relying on similar multi-send mechanisms without rigorous transaction content validation.

The composition displays a white, porous, organic-textured structure emerging from a smooth, cylindrical form, connecting to a complex, segmented blue spherical mechanism. This intricate digital rendering features fine grooves at the connection point, where the white structure integrates into the blue sphere, which is composed of numerous interconnected block-like components

Verdict

This incident serves as a critical warning, emphasizing the escalating sophistication of social engineering attacks that exploit trust in verified on-chain identities and complex transaction structures.

Signal Acquired from → cryptoslate.com

Micro Crypto News Feeds

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

usdc

Definition ∞ USDC is a prominent stablecoin designed to maintain a fixed value relative to the US dollar.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

funds

Definition ∞ Funds, in the context of digital assets, refer to pools of capital pooled together for investment in cryptocurrencies, tokens, or other digital ventures.

transaction approval

Definition ∞ Transaction approval signifies the explicit consent given by a user or authorized party to proceed with a proposed transaction, particularly in digital asset contexts.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

Tags:

Tags: